Download 256 Bit Key — Is It Big Enough?

256 Bit Key — Is It Big Enough?
Atmel White Paper
Author:
Kerry Maletsky, Crypto Products Business Unit Director
Abstract
Most cryptographic algorithms, devices, or protocols are limited in security by the size of their key or
other secret. This white paper addresses the use of cryptography for the purpose of product
authentication whether it be a physical item or a logical block of firmware, and the key size necessary to
be confident that it will not be guessed.
Atmel-8668B-CryptoAuth-256-Bit-Key-Is-It-Big-Enough-WhitePaper_042013
Authentication
Development of products using the latest technology costs a lot of money. The greater the
development cost, the greater the temptation to clone the product. Counterfeit goods comprise
between 1% and 5% of worldwide trade, and it is growing at an alarming rate.
Since the cloner doesn’t have a reputation to protect, quality and performance often suffer. The
cloner can make a greater profit and offer the product at a lower cost by bypassing the development
process and cutting corners on product safety and reliability.
•
•
•
The result can be annoying if an ink cartridge fails.
It can be expensive if a counterfeit battery damages the end-product.
It can be life-threatening if a medical consumable is below standard.
Another issue is microprocessor firmware. Hackers are constantly figuring out ways to defeat
product features intended to product the end-user from unauthorized firmware downloads. While
opening up a mobile phone to additional service providers may seem attractive, it puts the phone at
risk of getting malware that could compromise the end-users personal information or damage the
phone itself.
The harm done to the end-user by counterfeit products or software can:
•
•
•
•
Damage the reputation of the OEM.
Increase product liability.
Increase maintenance and warranty costs.
Decrease future sales.
How to Authenticate Something
OEMs have always tried to protect their products and guarantee their authenticity in a variety of
ways. There are many procedures that are in common use to authenticate items:
Source:
If we trust the seller and we believe in the reputation of the shipper, then we might use this as a
method of authentication. It is easy to see potential issues:
•
Truly secure shipping, such as an armored truck, with 100% control over the item at every
instant of the process, is quite expensive and rarely used. While uncommon, various kinds of
substitutions can take place without even the shipper knowing.
•
Even a reputable seller may not have complete control over their own supply chain. They
may have been tricked in some way to offer counterfeit products under their own good name.
•
We assume that some sellers, such as a sidewalk vendor selling $100 baseball jersey for
$15, sell counterfeit goods. Yet the street vendor hasn’t manufactured the items. What other
sale channels is the counterfeit manufacturer using?
256 Bit Key — Is It Big Enough? [WHITE PAPER]
Atmel-8668B-CryptoAuth-256-Bit-Key-Is-It-Big-Enough-WhitePaper_042013
2
Physical Attributes:
For items that has a unique physical shape, such as computer batteries, printer toner cartridges, or
even vacuum cleaner bags, we often just assume that if the label ‘looks’ authentic, carries the right
logos, and the product ‘works’, that it is authentic.
•
It’s hard to disbelieve our eyes.
If the computer works, the printer prints, or the vacuum cleaner cleans; that often serves to
convince us, although, we know that cloned versions are available, and printing counterfeit
labels is cheap.
•
We may not ever find out the truth.
How many people actually:

Count the number of pages their replacement toner cartridge actually printed?

Can tell what size particles are being passed right through that vacuum cleaner bag?
Holograms:
This is common for clothing and many other retail items. The tags look good and appear to be hard
to reproduce using equipment we are familiar with, but enter “hologram printing” on any search
engine, and you can find many companies willing to print these for you.
•
A related confidence builder is a metalized label with a serial number embossed in it;
however, these are no more difficult to duplicate than a hologram.
Passwords:
We are familiar with these to log into our computers or access accounts/information on a web site.
But they are also often used internally in a controller-based system to validate a separate device,
board, consumable or network device. Or they may be used to control ‘special’ access to the
system for configuration, maintenance, etc. Shared secret encryption keys are a close cousin of
passwords, with the same advantages and disadvantages:
•
There is usually no place to safely store the expected password on the receiving system, so
if an attacker has access to that system he/she can extract that value from the EEPROM,
FLASH or other nonvolatile device.
•
Usually, it’s easy for an attacker to find a way to ‘watch’ the system when it’s in use and
discover the password as it is being passed from one system element or another. Or the
attacker might record the entire session and just replay it at a later date to repeat the benefit
the first user obtained.
•
A somewhat more complex version of this kind of security is to include a public key signature
of the serial number in a consumable. The host device can validate the signature without
having to store any secrets. But since both the serial number and signature are typically
stored in an unsecure device, they can easily be read and copied into the clone device.
256 Bit Key — Is It Big Enough? [WHITE PAPER]
Atmel-8668B-CryptoAuth-256-Bit-Key-Is-It-Big-Enough-WhitePaper_042013
3
Smart Card:
Some providers of satellite, cable, or other media use a smart card to authenticate a user to the
network. The user plugs the card into the setup box in order to make the media available. These are
often very secure; however, they are not perfect for all applications.
•
They may physically be impractical if the device is too small, is used in a wet or dirty
environment, or if the end use (many consumer items) mandates no parts to lose.
•
•
Smart cards can cost $5 per unit. Way too much for an end-product priced under $100.
The total system cost is even higher since a physical reader slot and connector has to be
supplied in addition to the cost of the electronics to support the ISO 7816 interface and the
cost of the card itself.
Low-cost, Cryptographic Authentication Technology
to the Rescue
Hardware authentication devices have been available for some time. Only recently have they been
able to combine proven and robust cryptography with low cost and ease of use in the typical
microprocessor-based application. Virtually all security devices contain some sort of secret along
with a cryptographic processing element. Generally, the secret can never be read from the device;
rather, the secret is combined with input data using a protocol that proves the knowledge of the
secret without revealing it.
Cryptographic devices with wired or wireless interfaces are available with increasingly impressive
capabilities that can make the counterfeiter’s task very difficult. Wired devices may be soldered
down on a board with other system components, or may be attached to a consumable and
connected to the system via contacts. Wireless RFID devices don’t require contacts and are
optimal when the environment is challenging.
Usually, these authentication devices incorporate a serial number and offer several advantages
over any other kind of serial number storage:
•
The number can be changed, since it is programmed into the silicon by the device
manufacturer.
•
The serial number can be cryptographically connected to secret keys on the device which
cannot be read or copied. The attacker needs both the serial number and the secret key to
build a counterfeit device.
•
The device can provide a way to combine a dynamic, random challenge from the Host with
the serial number. A much better solution than the static signature mechanism discussed
above which is susceptible to copying.
®
The Atmel CryptoAuthentication™ family is the newest of this breed of devices. Incorporating
security features developed from a long history of security devices, it provides an unprecedented
combination of security and ease of use at a cost that is lower than that of existing authentication
devices.
256 Bit Key — Is It Big Enough? [WHITE PAPER]
Atmel-8668B-CryptoAuth-256-Bit-Key-Is-It-Big-Enough-WhitePaper_042013
4
The Atmel CryptoAuthentication devices use:
•
•
SHA-256 hash algorithm to avoid any known algorithm weaknesses.
•
•
•
•
Internal clock and voltage generation.
Incorporate a full active metal shield over the entire internal circuitry — if an attacker cuts or
shorts any wire in the shield, the device stops functioning.
Fully encrypted memories.
Tamper detection.
Fully secure production test methods.
Modern processing technology allows the devices in this family to be incorporated in a SOT23
package which is less than 2mm x 3mm – tiny enough to be incorporated in the most space
constrained portable systems, incorporated inside battery packs, or fit on existing PC boards
without even increasing their size.
All members of the CryptoAuthentication Family include:
•
•
48 bit serial number which is guaranteed to be unique and
The appropriate cryptographic protocol to validate that the number is not a simple copy on a
counterfeit product.
A Single-Wire Interface simplifies the mechanical connection to the device while reducing the
number of GPIO or UART resources required on the Host microcontroller. An automatic sleep
mode reduces the standby current to less than 100nA when the crypto operations are completed.
The straightforward challenge-response mechanism of the CryptoAuthentication devices, along
with the use of an algorithm that is widely supported by commercial and open source software
libraries, simplifies the programming requirements.
Two important characteristics of every cryptographic device are the size of the key and the strength
of the algorithm. It’s pretty easy to imagine that bigger keys are better — but, how big is too big?
While it’s tempting to think that the newest secret algorithm is the best, “security through obscurity”
is generally considered to be very risky. Crypto experts prefer algorithms that are well publicized
and have been analyzed by lots of clever people over years. The following sections discuss these
concepts in more detail.
Is a 256 Bit Key Big Enough?
As computational ability rapidly increases, more concern is being placed on the key size in
cryptographic devices. Individuals commonly have a quad processor 4GHz computer on their
desks, so trying billions of possibilities to crack a secret key is pretty easy. These attacks are
usually called “offline” attacks since the attacker doesn’t use the Host or Client system to try each
possibility. Instead, the attacker uses external computers to mimic the computation of the
authentication device to guess the stored secret, trying to generate a sequence of bits which
matches that which was recorded once on the authentic system.
In the simplest example, a brute force attack, the attacker gets a complete or partial clear text
message, and the corresponding version of the message encrypted with the key the attacker wants
to crack. The attacker then successively tries each possible key until he finds the one that creates
the correct encrypted message. If there are n bits in the key, then after 2n-1 attempts, the attacker
has a 50% chance of finding the right key. After 2n attempts, he has tried all possible keys and is
guaranteed to have found the key.
256 Bit Key — Is It Big Enough? [WHITE PAPER]
Atmel-8668B-CryptoAuth-256-Bit-Key-Is-It-Big-Enough-WhitePaper_042013
5
The only protection against such a brute force attack is to choose an algorithm that uses a key so
big that it will simply take too long to try a very large percentage of the possibilities. Keys that were
big enough 10 years ago are not big enough now because of the exponential growth in computing
power. Below are some well publicized successful brute force exploits:
•
An array of 64 Virtex-5 FPGAs from Xilinx can successfully find a 48-bit key in less than an
®
hour. The Mifare cryptographic memory device used widely around to protect electronic
purse contents uses 48-bit keys.
See http://www.usenix.org/events/sec08/tech/full_papers/nohl/nohl.pdf.
•
The official encryption standard adopted by the United States in 1976, Data Encryption
Standard (DES), uses a larger 56-bit key. Several machines have been built that can find a
key through brute force in less than a week.
See http://en.wikipedia.org/wiki/EFF_DES_cracker
Although no successful brute force attacks have been reported for commercial devices using
algorithms with key sizes greater than 56 bits, it is expected that algorithms with larger key sizes will
eventually become vulnerable with increasing computational ability. As of the writing of this paper,
the US Government is recommending Advanced Encryption Standard (AES) with a 128 bit key for
government encryption purposes. Setting aside any mathematical weaknesses in AES (if they
exist), this means that the government believes that attacks against a key space this large will be
impractical for some years to come; however, with computing power doubling every 18 months or
two years (see http://en.wikipedia.org/wiki/Moore%27s_law), 128-bit keys will eventually become
“crackable” using brute force attacks.
As a result, some system designers look for even larger keys to ensure that a system they design
today will still be secure during its entire life. Even after much larger and faster computers are
available to hackers. A key size of 256 bits is so big that all cryptographers agree it is immune from
256
exhaustive attacks. Just how big is 2 ?
Here are some estimates of big numbers:
66
Number of grains of sand on the earth.
76
Number of stars in the universe.
79
Avogadro's number. The number of carbon atoms in 12 grams of coal.
96
Number of atoms in a cubic meter of water.
190
Number of atoms in the sun.
255
Number of attempts to find the key in this device.
2
2
2
2
2
2
What about very well funded entities such as the US National Security Agency (NSA)? Could they
build a machine to crack a 256 bit key? Assume they could build a theoretical nanocomputer that
13
executes 10 instructions per second (approximate rate of atomic vibrations) in a space of a cube
with a side that is 5.43nm across (This is the approximate size of a silicon lattice10 atoms wide, or
a crystal containing 1,000 silicon atoms). Assume that it could calculate an attempt in 10 cycles. A
13
computer the size of the earth would take more than 10 years (roughly 58 times the estimated age
of the earth) to attack a 256 bit algorithm via brute force.
256 Bit Key — Is It Big Enough? [WHITE PAPER]
Atmel-8668B-CryptoAuth-256-Bit-Key-Is-It-Big-Enough-WhitePaper_042013
6
Is a 256 Bit Key TOO Big?
There are a few downsides to larger keys. They increase the complexity of low cost authentication
devices in a number of ways.
•
More internal memory storage to retain keys and temporary values:
Usually the largest blocks on most devices are the memory arrays. Doubling the size of the
keys typically doubles the total amount of nonvolatile and volatile data memory which could
therefore increase the device cost; however, as the line widths in devices shrink, the core
size of the memory cells becomes a smaller and smaller percentage of the total device area
reducing this cost penalty proportionally.
•
More logic gates and hence larger, more costly devices:
It’s generally reasonable to assume that doubling the size of the key will double the size of
the logic to implement the block. Alternatively, the same logic size could be used at a penalty
of perhaps two to four times the computation time, depending on the algorithms in question.
Implementing the device in a newer technology with smaller transistors can offset this
disadvantage.
•
More transmission time:
Typically, both the challenge and the response are the same size as the key (if not, then the
shortest of the three can be attacked more easily than the other). So, doubling the key size
will double the transmission time for the transaction. Since authentication is done
infrequently (perhaps on power up only), this penalty matters less in the overall scheme.
Cryptographic professionals (and hackers) are a creative bunch. Even though the time scales in the
previous section seem daunting, new attack procedures could be found that might simplify the task
by a factor of 2, or 2,000 or 2,000,000. Increasing the search space with a larger key helps to
ensure that even with these advances. It will remain extraordinarily difficult to guess a 256 bit key
anytime soon.
Why Not Just Keep the Hash Algorithm Secret?
If the attacker doesn’t know the algorithm, then implementing a brute force attack is impossible
since the attacker can’t compute the output even if he knows the key. Systems like this were the
historical norm until recently.
This is still a reasonable strategy in some situations, especially where there is a limit on the
complexity of the encryption hardware (perhaps for cost or power consumption reasons) and/or
insufficient key storage mechanism. Good examples of this situation would be RFID tags which
cannot consume very much current nor cost more than the value they protect, perhaps a single trip
on a subway.
Nonetheless, such systems are being used less and less in favor of systems constructed from
widely studied open algorithms. This has been made possible by advances in semiconductor
technology that permit logic gates to cost less and consume less power at the same time.
256 Bit Key — Is It Big Enough? [WHITE PAPER]
Atmel-8668B-CryptoAuth-256-Bit-Key-Is-It-Big-Enough-WhitePaper_042013
7
It’s very hard to maintain the secrecy around algorithms:
•
The German WW2 Enigma machine was secret only until one was captured by the Allies,
and its weaknesses were uncovered by clever mathematicians.
•
The encryption algorithm originally encrypting European GSM cell phone conversations was
protected by a non-disclosure agreement (NDA) until a university accidentally disclosed it
without getting a signature on an NDA. It was promptly broken, and the attack published.
•
The encryption algorithm in the Mifare devices (see above) was teased out of the logic on the
device by another university team that legitimately purchased devices that implemented the
algorithm. They studied the logic under a microscope to find out how it worked.
Better hardware design strategies that include countermeasures for historical and anticipated
security attack methodologies can increase the useful life of systems with secret algorithms further
into the future.
On Hash Algorithms
Cryptographic hash algorithms are designed to convert or compress a variable length message into
a fixed-length string called a digest. If the digest uniquely identifies the message then the digest can
be used as a stand-in for the message and shortening the computation time for various operations.
While many algorithms can be used for simple hashing functions, a cryptographic hash algorithm
has a few important properties:
•
It should be very difficult to find two messages for which the digest is the same. If two such
messages do exist, this is said to be a collision.
•
Given a particular digest value, it should be very difficult to create a message that would
produce that digest.
•
It should be relatively easy to create the digest from the message.
Digests can be used to verify the integrity of the message by performing some cryptographic
operation using both a secret key and the message digest, the output of which can be used for
message validation. If the recipient of this validity code has the knowledge of the secret key, he or
she can be confident that the message sent along with the code was not modified while in transit.
When used in this way, such a validity code is usually called a Message Authentication Code
(MAC). Usually we say that attached to a message is a MAC, which was generated using both the
message and a secret key. The MAC algorithm is considered to be strong if it is very difficult for the
attacker to create message/MAC pairs without knowledge of the secret. As well, it should be
impossible for the attacker to change the message in a way that the same MAC would match it.
Hash algorithms are often used to implement MAC algorithms.
The SHA-1 and MD5 hash algorithms have been widely used for cryptographic purposes; however,
recent mathematical analysis has shown that there may be weaknesses in these algorithms. As a
result, they have been replaced in the suite of algorithms recommended for use by the US
Government with the SHA-2 family. The best known of the algorithms in the SHA-2 family is
SHA-256.
256 Bit Key — Is It Big Enough? [WHITE PAPER]
Atmel-8668B-CryptoAuth-256-Bit-Key-Is-It-Big-Enough-WhitePaper_042013
8
The typical attack on hash algorithms is to find a collision — two messages that hash to the same
digest. The reason for this is twofold:
1. If the hash algorithm is being used as part of a message authentication or signature scheme,
then the attacker can create one message that the sender authenticates but substitute the
other message which the recipient will believe to be authentic. This would have significant
benefits for the attacker — if the attacker could change the shipping address on an order for
instance, he could receive the goods without paying for them.
2. Due to the Birthday Paradox (http://en.wikipedia.org/wiki/Birthday_paradox), this kind of
attack takes far less attempts than is obvious. If the digest has n bits, then only 2n/2 random
messages need to be hashed in order to find a collision. This is the same as cutting the
number of bits in half!
As a result, cryptographers have put a great deal of effort into finding ways to create two messages
that collide. For SHA-1, while the expected strength against attacks would be to require 280
attempts, the current state of the art attacks require only 263 attempts, potentially within range of a
brute force attack.
The Birthday Paradox requires that the attacker randomly select pairs of messages. This seems to
limit its usefulness. An example with an email message shows why it’s very powerful. We can’t see
space characters at the end of a line in a simple text email, but there may be a variable number at
the end of each line. If the message is relatively long, it’s easy to see how a huge number of
messages can be generated each of which appears identical but all of which are actually unique. A
similar concept can be used with an image attachment — two images may appear to our eyes to be
identical but may in fact be very different at the bit level.
The brute force birthday attack does not work on most authentication devices; however, for a few
specific reasons:
•
The usual implementation of the birthday attack is to compute digests of 2n/2 versions of the
original message all of which appear to be the same and 2n/2 versions of a beneficially
fraudulent message and compare all of the digests in the first set with all the digests in the
second set. Since in authentication devices, all the bits of the original message are known to
the verifier (the message is short and of a fixed format), the first set can’t be created which
forces the second set to be 2n in length.
•
Incorporating a unique nonce into the message prevents pre-computing digests of a large
array of messages that might be compared to those recorded during each of many
authentication operations. This is because each ‘correct’ message contains a shared
element (the nonce) that is different from all previous ‘correct’ messages. Care must be taken
to ensure that nonces are not reused.
Some attacks to find collisions are made easier by being able to vary the length of the message.
The fixed length message property of authentication devices can inhibit these. This property also
inhibits “length-extension” attacks in which an attacker can ‘extend’ an unknown message with a
known value and create the proper digest for the new extended message. Combining a hash
algorithm with the HMAC construction also prevents length extension attacks.
256 Bit Key — Is It Big Enough? [WHITE PAPER]
Atmel-8668B-CryptoAuth-256-Bit-Key-Is-It-Big-Enough-WhitePaper_042013
9
Is the Latest and Greatest Algorithm Sufficient?
Attacks on the algorithm itself can be prevented by using the latest and greatest algorithm. But this
is not enough. While authorized systems interact with these security devices according to the
datasheets, the attacker has access to a whole range options well outside the normal operating
range up to and including removing the package from around the device and analyzing the very
components within the device.
Since the purpose of these algorithms is to prevent the security device from having to reveal its
stored secret key in the clear, the algorithm must be combined with a whole range of additional
protections to ensure the secret cannot be obtained by means other than a cryptographic attack.
•
Physical Protection Against Attacks:
Equipment to probe internal nodes of operating devices is widely available, so authentication
devices should include:

Active shields to cover internal nodes

Use the latest processing technology to reduce the size of the internal nodes.

Incorporate multiple layers of internal interconnects, preferably more than three layers.
All of these make micro-probing more difficult
•
Secure Cryptographic Protocols:
Most algorithms have known weaknesses if used in an improper way; therefore, the way in
which the device uses the algorithm must facilitate its secure use. Since an attacker can
usually record every bit going back and forth between the device and an authentic system,
the protocol must provide anti-replay protection.
•
Environmental Extremes:
For example, fast clock rates or supply voltages that violate the datasheet can often cause a
device to malfunction. In some cases, this malfunction can permit the secrets to be read from
the device. State of the art secure designs prevent this from occurring by controlling the
environment or detecting extremes and shutting the device down.
•
Improper Command or I/O Usage:
Many programmers are familiar with stack or memory overflow attacks against some
systems which occur when some function is presented with extraordinarily large inputs or
passed an illegal value. Well designed security devices are specially constructed to carefully
analyze every input and reject all but those which are acceptable.
•
Information Leakage:
Beyond the expected I/O channel, there are other ways in which information may pass from
the device to the attacker. Perhaps the timing of an operation indicates something about the
internal secret. An attacker can measure the current flow into the device over time to see if
there is an unusually large or small current flow for one condition or the other. Sometimes
there may be some sort of electromagnetic emission that can be measured. While no device
can provide perfect protection against every kind of known or unknown leakage, security
device designers are familiar with these attacks and can provide a significant level of
protection.
256 Bit Key — Is It Big Enough? [WHITE PAPER]
Atmel-8668B-CryptoAuth-256-Bit-Key-Is-It-Big-Enough-WhitePaper_042013
10
Conclusion
There are broad reputation, safety, liability, and profit reasons to incorporate hardware
authentication in all new designs. High quality authentication solutions are available to protect a
wide range of items from cloning, fraudulent modification, secret disclosure, or other types of
misuse. The elements being protected can include software/firmware modules, media files,
medical consumables and records, electronic consumables such as batteries and printer toner
cartridges, other retail consumables such as filters, and wireless or network transmissions, just to
name a few.
So long as the device or Host device contains some sort of microprocessor or Host computer,
modern authentication devices can be used to bring a level of security to the design that was never
before achievable. The availability of proven cryptographic algorithms simplifies the
implementation so the designer doesn’t have to be a crypto expert.
When selecting an authentication solution for products, the designer needs to find the right balance
between cost, security, and speed for their application. In addition, the designer should consider
the lifetime of the product in the market to ensure that the authentication mechanism will still be
secure at the end of the useful product life.
For applications that don't require lots of memory storage, or different cryptographic protection for
different sections of the device memory, and multiple algorithms on the same device, cryptographic
authentication ICs can offer the highest level of security at prices that make them appropriate in
most mass markets.
While Moore’s law dictates that the counterfeiter will have access to progressively cheaper and
faster computation horse power with which to build the clone device or crack the keys, it also
means that high security devices with progressively greater security and lower cost are available to
the legitimate OEM. In the case of key size, bigger is always better.
Editor’s Note About Atmel Corporation
Atmel is a leader in microcontrollers and touch solutions. Headquartered in San Jose, CA, Atmel
(NASDAQ: ATML) has 40 local sales offices worldwide. Atmel is a worldwide leader in the design
and manufacture of microcontrollers, capacitive touch solutions, advanced logic, mixed-signal,
nonvolatile memory and radio frequency components. With wafer fabrication locations in Colorado
Springs, CO, and third party foundries, Atmel is able to provide the electronics industry with
complete system solutions focused on industrial, consumer, security, communications, computing,
and automotive markets. In addition, the company has test and assembly facilities in the
Philippines and subcontractors, employing nearly 5600 employees worldwide.
Further information can be obtained from the Atmel website at www.atmel.com.
Contact: Kerry Maletsky, Crypto Products Business Unit Director, Colorado Springs, CO, USA
T: (+1) (719) 540.1848 / email: [email protected]
256 Bit Key — Is It Big Enough? [WHITE PAPER]
Atmel-8668B-CryptoAuth-256-Bit-Key-Is-It-Big-Enough-WhitePaper_042013
11
Atmel Corporation
1600 Technology Drive, San Jose, CA 95110 USA
T: (+1) (408) 441.0311
F: (+1) (408) 436.4200
│
www.atmel.com
© 2013 Atmel Corporation. All rights reserved. / Rev.: Atmel-8668B-CryptoAuth-256-Bit-Key-Is-It-Big-Enough-WhitePaper_042013
®
®
Atmel , Atmel logo and combinations thereof, Enabling Unlimited Possibilities , CryptoAuthentication™, and others are registered trademarks or trademarks of Atmel
Corporation or its subsidiaries. Other terms and product names may be trademarks of others.
DISCLAIMER: The information in this document is provided in connection with Atmel products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted
by this document or in connection with the sale of Atmel products. EXCEPT AS SET FORTH IN THE ATMEL TERMS AND CONDITIONS OF SALES LOCATED ON THE ATMEL WEBSITE,
ATMEL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL ATMEL BE LIABLE FOR ANY DIRECT,
INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS AND PROFITS, BUSINESS INTERRUPTION,
OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ATMEL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Atmel makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and products
descriptions at any time without notice. Atmel does not make any commitment to update the information contained herein. Unless specifically provided otherwise, Atmel products are not suitable for,
and shall not be used in, automotive applications. Atmel products are not intended, authorized, or warranted for use as components in applications intended to support or sustain life.
SAFETY-CRITICAL, MILITARY, AND AUTOMOTIVE APPLICATIONS DISCLAIMER: Atmel products are not designed for and will not be used in connection with any applications where the failure
of such products would reasonably be expected to result in significant personal injury or death (“Safety-Critical Applications”) without an Atmel officer's specific written consent. Safety-Critical
Applications include, without limitation, life support devices and systems, equipment or systems for the operation of nuclear facilities and weapons systems. Atmel products are not designed nor
intended for use in military or aerospace applications or environments unless specifically designated by Atmel as military-grade. Atmel products are not designed nor intended for use in automotive
applications unless specifically designated by Atmel as automotive-grade.
256 Bit Key — Is It Big Enough? [WHITE PAPER]
Atmel-8668B-CryptoAuth-256-Bit-Key-Is-It-Big-Enough-WhitePaper_042013
12